This is the 282nd article in the Spotlight on IT series. If you'd be interested in writing an article on the subject of backup, security, storage, virtualization, mobile, networking, wireless, cloud and SaaS, or MSPs for the series, PM Eric to get started.
We all love ingenious ideas, but when it comes to fixing and improving, you don't need to use your genius most of the time. Save that for more important things. The best ideas are the simple ones! As we’re a month into 2014 and our ambitious new year’s resolutions are now fading memories, let’s remember to resolve to be more secure this year — simply.
For cybercriminals, data is an easily tradable commodity, and your servers are where most of your company’s most valuable data lives. So, what can we do to protect against a data security breach? I’ve come up with a simple server deployment checklist — some tips for securing your data against enemies, both foreign and domestic — that should prove downright handy for almost anyone involved in server deployment. This list is not exhaustive by any means but provides a useful starting point for protecting the areas where the good stuff sits.
1. File shares
Are the default permissions across the network too permissive? Set more restrictive permissions, even if only to “domain users.” This will save you a lot of time when setting up future shares (for internal or external entities).
2. Use the principle of least privilege
Always assign permissions using the principle of “least privilege.” The principle of least privilege (POLP) is the practice of limiting access to the minimal level that will allow normal operations. Applied to IT permissions, this translates to giving people the lowest level of user rights that they can have and still do their jobs. The principle can also be applied to programs and processes.
3. Use domain groups
Never assign permissions to individual users; only use domain groups. It’s more scalable, easier to audit, and can carry over to new users or growing departments much more easily than individual user permissions.
4. Internet access
Teach your employees how dangerous oversharing on social networking sites can be. Your Internet usage policy should specify what social media usage is acceptable. Even if you can’t stop them from sharing information on various social networking sites, you can opt to limit the amount of time spent on these sites while at work. Provide your users with secure Internet access by implementing an Internet-monitoring solution that allows safe browsing and allows work time spent on these sites to be managed. This reduces the chances of the company’s security perimeter being breached.
- Malware scanning — Scan all content for malware; this includes downloads, streaming media and scripts contained in web pages. Just as you would never leave your front door open at night or when you’re away, your company’s virtual doors should never be left unguarded.
- Bandwidth restrictions — Protect your business-critical applications by deploying bandwidth restrictions, so users’ access to the Internet doesn’t adversely impact company functions like email or the corporate website.
- BYOD — Create a “Bring Your Own Device” policy now, even if that policy is just to manage users in relation to bringing devices into the office or connecting over the VPN.
5. Email
The top reasons for data loss are employees opening attachments or clicking links in spam, not changing passwords frequently, using the same password for multiple access points, and visiting restricted sites. This negligence puts critical business data at risk and exposes the company network to cybercriminals and malicious insiders.
- Inbound and outbound filtering — Deploy an email-filtering solution that can filter both inbound and outbound messages to protect your users and your customers.
- Blacklist your own domain to prevent spoofing — If you have no external users and don’t receive external mail from your own domain, you can block all inbound external mail from your domain as a way to block mails that use a spoofed address from your domain. Spam, and in particular phishing mails, will often be addressed from your own domain.
- Directory harvest prevention — Ensure that your endpoint devices will reject directory harvest attempts.
- Antivirus and antispam — Deploy mail-filtering software that protects users from the full range of email threats, including malware, phishing and spam. Spammers will also send spam directly to an IP address that may not even be listed in an MX record. I commonly see cases where a spam-filtering appliance is bypassed completely due to spammers sending mail directly to a server. If you’re using a spam-filtering appliance, restrict your mail server so it will only accept mail from the filter's IP.
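The own-domain block and the filter-only restriction from the list above can be combined into one acceptance check as the mail server sees it. This is an added example, not code from the original article; the domain, IP ranges and sample sessions are constructed assumptions, and the own-domain rule only applies if no legitimate external sender uses your domain.

```python
import ipaddress
from email.utils import parseaddr

# Assumed values for illustration; none of them come from the article.
OWN_DOMAIN = "example.com"
FILTER_NETS = [ipaddress.ip_network("192.0.2.10/32")]   # spam-filter appliance
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # internal clients

def domain_of(value):
    """Lower-cased domain of an envelope address or a From: header value."""
    _, addr = parseaddr(value)
    return addr.rpartition("@")[2].lower()

def in_any(ip, networks):
    return any(ip in net for net in networks)

def evaluate(client_ip, mail_from, header_from):
    """Return (action, reason) for one inbound SMTP session."""
    ip = ipaddress.ip_address(client_ip)
    if in_any(ip, INTERNAL_NETS):
        return ("accept", "internal client")
    # Filter-only rule: anything else that is not the filter is a bypass.
    if not in_any(ip, FILTER_NETS):
        return ("reject", "direct delivery bypassing the filter")
    # Own-domain rule: mail relayed from outside must not claim our domain.
    # Exact match only; add subdomains explicitly if you use them.
    for label, value in (("envelope", mail_from), ("header", header_from)):
        if domain_of(value) == OWN_DOMAIN:
            return ("reject", f"own domain in external {label} sender")
    return ("accept", "relayed by filter")

# Constructed sample sessions: (client IP, MAIL FROM, From: header).
SESSIONS = [
    ("10.1.2.3", "alice@example.com", "Alice <alice@example.com>"),
    ("203.0.113.50", "promo@bulk.example.net", "Promo <promo@bulk.example.net>"),
    ("192.0.2.10", "bounce@mailer.example.net", '"IT Helpdesk" <helpdesk@example.com>'),
    ("192.0.2.10", "news@partner.example.org", "News <news@partner.example.org>"),
]

def audit(sessions):
    """Evaluate every session and return the list of (action, reason)."""
    return [evaluate(*s) for s in sessions]

if __name__ == "__main__":
    for session, (action, reason) in zip(SESSIONS, audit(SESSIONS)):
        print(f"{action:6} {session[0]:15} {reason}")
```

The third session shows why the header From is checked as well as the envelope sender: the envelope uses an outside domain while the address shown to the user claims the company's own.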
Protecting your business from a security breach isn’t just about practising safe tech; it’s also about having a good security policy in place, hiring the right people, and employing common sense.
---
What are your New Year’s security resolutions? Share your thoughts, questions and suggestions in the comments below.